From e8dfe68ada97be79c929d00fb0cd9561127cfa1f Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Fri, 29 Sep 2017 14:22:40 +0200 Subject: [PATCH] * Fri Sep 29 2017 Lukas Vrabec - 3.13.1-290 - Allow virtlogd_t domain to write inhibit systemd pipes. - Add dac_override capability to openvpn_t domain - Add dac_override capability to xdm_t domain - Allow dac_override to groupadd_t domain BZ(1497081) - Allow cloud-init to create /var/run/cloud-init dir with net_conf_t SELinux label. BZ(1489166) --- container-selinux.tgz | Bin 7009 -> 7086 bytes policy-rawhide-base.patch | 168 ++++++++------ policy-rawhide-contrib.patch | 410 +++++++++++++++++------------------ selinux-policy.spec | 9 +- 4 files changed, 307 insertions(+), 280 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index c35637b8ae532588228f70333da916df5c8aa252..50495508e3d8ec07ea4b07a34be883c830ffe6db 100644 GIT binary patch delta 7080 zcmai$MOc)N!?h8RMpBTLkZzD12k8zahsL418y>nlesq_VbaxF1LpMl|bhqU9U%tEV zy3XR<+q1dPmcTDTfF>FP$zEgvf`oEna1{SXAZc>(phuz>#gnnt0<<&u2DJQzJqhI$ zOo@NY=}5!rLDf`zx)5iWICmv9@YrIcc|jXR$D&YO=l7LJZiQa+S&qbL=tmuKsx(EZ z^mn7uRfk-buF&h3=ev8K=N&wUc_XMU+q~g`KH*VnKgE+qs9QR^bUG8@-S^Y*$tz)i>zWRup~_co zJD(%C`CT;QkV3}S8jSZZT?)|xR@=~59~Lfu$T=K=7yg<-512bEMmm$u3x zbmL_AETj8_m~)DbN8a2lGQ`MtYa0C6!!|BKzDQf$!q>Az^>THNt}Xa!!@6E&XwX+R zbST8@L&Y}J^No-7a%@H!Uy`S&xoWmJW6CQ}HlZ_5yv`TZi)KM?1vBXque(cN+Bd)( zjgsc2?N^eBLjd5EWiC(8yE`}co751uTj1O5hv)2|W;j`rL*zjrm%a507pG+=Wo?*7 zHe|c`cA5{_qGnt@eDDE>*WuPA$5;7#8S=leoJ1eFFN#?tkIl;alq2UOWxru<4cqnt zK|nBG<|7yXp_9CQ1%pBh3qQV%oQ8H%Uy7_3tV;6ZYa;M4!#5E;>_$8W7m!4t6}-yo zgoygl{u6=es7U)Xx5W<7@O5Cu)V;Z?YCz<_?WtI}vKM9)TehdJ9uUTff6{}6*4bA2 zDvy$pzT@P%%7WE>^#hmt+gaD}TKrS+cu4u1@YFEDFBa?`pobV2`?`+1!X#0`@-fZO z1w=b0xsoi8g3Gi_ZEPjmt_HcP6zLlFO}OL}_!$OQtb=|3a6X-`sL9e&?8aS?UzqHN zLI-qN9tBrN$yJzj$j|)PORe^bh`9N)+G|7kk<+G%7o)o?@O8Zp*x>3Q{dcng{8Lzf z%q&&%=a$mXhxhYtA!+cLT*-cgg-2%zWfpfEAuyn{qAf$P>$ygG>ZWB4y_}a*wPKFQ z9vkK`sw?Htk%%U(D1=*5YAerM`I4!;eL%T4*?4!norBEtEzy`{%qJ5ewAJYENqF}} zBe}HIT=e>#U*8z@-sc59@?|nxeF&GP1kIIO@ntXxSLqx1tBD1~TtXHMB^Bk!EyF>^ zOA@z4#pT$182nbZ;b!w-WrKbc+zr+V<87y*g20Id@bq;Aw17*4M}mJE_SV3I8OcFq${)J3GCp5}bdAOmgY45`*G3mH34C8mf_|yCFe)^66fM<|CxdrIyvEAoPdPZsa=pec=eHfs>jgggg=9b}rG~f!a+< z+TgU!+n$9tgLLPuM&~Pnj;rDK9@tY(DVgfLO4L~+VgAj&%pJp<$pooJ#T^bfZ9(zN zXfMDGZU6aogu2M^w(zkdsyEd@k-&T#2bG7cZz`LQXWf*0?X&gd<=iW-%+aqqhuJl= z?|--=+qtruA>;|SHrPKFO4FWU&`6bXaYOR#lz$qkRuYzmq z(YtmA$X03^cAifb^E!C>jR2RkO1d-Zh{m63eepF0VP8r)7Rg5yu&^qQ)owHjfJJtQFD%i6`mdED?o5lI4zYgwa>_W3bRc>eNkHKBqoCQw!gK-4F#%da6#C3(vN2&b{|Vgw8j$SRi_1lc=IVMHrTkIess3jn zvOrLeSra@%Wgt!t0s|AW!++F<+gZhCJ2{It*C=JZnAk9ea~sH0>=^fIwD$^DRJA+8 zi}FX`aSwU3Ng68D#vMG`KLqeJmintnqrsHDn76~waB@pI`O@l8OfZ2EJwSU9Vu5ds 
z8?I67OI73E&-#Hx70t8ToEs7_iixfJtdXi_P+DF(UVrz41n6#`dGB%Bgq3zUyuUkcX+zP3n3rT-$WubhX$V!)i!NPTL2+6<0p^BC z6u)bzS|cnlRpZXAHlphcJ0H`a+cl*E2(nYx9q&98&+2ET?r^61MJ3=9hdtDJ<9;$8 z-xF)nqk!55urU5_92w}E-zj0@vN7Tof0}(;bzv%MeoB~^kIq(6!&$&2S?2kz#>k>W zTh*ay7ML9IkF6`;wsu~GzXMdTqwR@S5S4sUJ;YW7>d*@o$!pi@H(k>PF+`4_L`)>^ zOMoTDxK#k*lfwl&owFpZDFmb;%nLdkJH0aYvk&Nw4y&)v><|EfZwtr^xz4zB3Kz9urmBIt;Vh6&O9JJh1q6 zGjuGOWr4J*Pw(;0HeT;{9>t%+&j8R6a8DTtSy}KR8|ZiE^cgtX+`Zg={<|8TDlpA0 z2pE|gU?0}oj&+pJo*kNvH!1gGr2>Sr4{%-fzeR8oibF#V>qq-gtnR)DKX>>io-|HeO_I1fC#oY`-hP=c_KEZ*Q^SA&@B(O-3`x> z6R9LTBzdK6!c2mKIDsbdAXj^jJQ;euH*bvAD_d{2iHBP^d?*D&xq2hu!jQ0kUPcA1 zE_uIqYc;9iz59OkFFmY+LiTY}5>T)HjF;n@p6VPkKUw0T#yU}i7;vHQ$2Yv+zpWD` zHQN2P3eLfUgc<*Vmc@VSQp>=t%IQIiN#^@!79^bzoExE!}^D3|Rfb@gI*p zbRNWHBatJ6awVJoR*5E9+xF31_dbhZ)jy)2^-nQm1^kvK*wP40+-HD=HAV6gDrlQk zti1EFhiz1-x3mC7|6!4l1M!UQtrng?%Wy*S(Wy_b=!z=z^}$tC3v22}$N)_C^m6=l zm+8hWDR3b>(4YSuqb<{G2+%JTPTsB|Ix(v)CHu35r@b;Zd5becMm934pSh{Nj@q`Y zD*|qlcHm2lC8d%9B>-;2kGSlIBPW3Q2t5$}AGK-zU3OQG=|c{`36G9_(0WSck%P%y zghbyvK3YU^IUPrsVi@-O@qjpylaJTT}ZmCeI`YkyYX3<@^ zi(ZPMVu*Z?5S%6GN9PHFTx09BIMzUO@4Y<%czz0 zeA;r9Vg(J1+huEr21G)4Z8F0>ly5pOW9Y{%31WcGHwUp{R`ZwMxNk28`tnrR8wOUs^$QLOpk!OTwY{nL^z^PW(=Fg z`YTX_$5LQYnQispwRY7>{Wb?pz1KOD{=?Ekj;jiKNiA2BHnJl4djeN`i;LduKf)mH zG*}jB#ULHb0gq&|*6QxkAu%JwXKqS4{|DF%gOCcw&>&0&&#MK<@4X>oF%Rp>>0sk zt%Zu;?%o=5!OInjna(@yci(_2v)UXV-{G#W1xRML2Udx?VdU9^aJWiu*3g9~&s|LR zH}@XfX%laQK3tHa1E*bjouekXd1qhuq%K6sv~dZkJE&yf5!g>>5gdbjrTAvUUOT|`h4)N3k{qd zzCXoRACWbrzAbh7t$I&X+F_Y@)0%y)jxAUuC%O)mjV|_qyQ@U>-<+qq=)N2qO6Ua-p$e3tzhVZiz5IWNDY0?{u~K5-w3I zWtOWAxoj;33s0!&Eh&BmQw*PYJ{UsiV~7okAH!Y(aPo(Q@0GU6SIA6yss`Hk^$DJO|0> zoego>Nf{9`SZA~`r5l8C`ZNn>eaIiK9A$Rf`RyP@&EYS^{C;AEMJ6kMAp5^#kx1(b zt*B=NR|fptDAU~=pO9FiM=L>7oeo%OR#nZCBSS;@XS_IA_JmCFxGMK@URNJD+ERUL ze#p`Z#p(=Y3cyDWgC0&PC@LAIJcbL|N)8LreKx=m@p)s2CTT4@Cftl0qm6c`g)`44 zU^Jqtr;DcTY^nZh7xo(v0GV>|{RXW_6*||RS_J!BJ4Qyfm0OH&tLdWQGBIj0uZcL} z2F7NZZy1OOI(PB%Eoj;|1sm2bD)CdGhf?(>9g&~`8K3Fxpe8D8rL+?}FfPK42CM0@ 
z`6%Dof*$jDf{tIYg7Bxc^4EWfo%tERHn*CqL_ColsAXy5hp>?s=f)e3g_lXsN4 z3V}Vbp$~ztL9G~CZF7QH>r)?faL+tvEJ__7RfyTujaLZE*9Q?aTNIFM{`GCX@1KSC zp7U?i8NNYa>V&6^9fP$tzN|Hb)6nH*qM(o*;3_nVmWWX#G$TZkZ0fNq5bNe?zUSjz zWJtH8>*Mg7QV;-+(>eZvtBrLzoBu{sBjP1z8f|6{t`%$1ybbf*-W8#ykhL_);QK89 z(D*^4j_(&VJvn-%1Y`bawl*ECWheO^7AhX?`32%Lx?tH9o=H;Q>PjM5Wbm2%yl$jS zh*mO9;Z`0kc)G;DM$5^$=2V>hKju&j)bPDa0X|Z-?+w7f4;wO$B*dn8^4e_X>Ox78 z<^A$I_S9rLwy{y{Q7%Px%Adqdv#1|U{}ZrM$~7s{bM4j?4l;2K2XCG)2jit9F4h=0 zy@UkK9gIOcWan+z<$n8E_wl|D-x~rqLRM>Ps=I_Im%xTiO0CV0k?0vUsF^RgfOgu9 zysQ!}w;3S#M}An7v~5~ftUk7khKCG7Qa3P_)FjsH2p4!Kr>cijP$Ioty2{k@yENK; z){8H8PVPTvFTS}55Y5x2q1&FpjE>!!yuwVyI1Lqp#ASeKDu@6}w3oTy18F$&`w`}1 zncBSZ0yH$y8~Y**yTx9~NB5jlUB0pRZXdjcR?GpceVs#hj#t7wdY8+=EEH=R+KT9o zxn|4J4sx)Mru^7L*k0GWzE7V;eK$daheA37Ze+ryW~PLO4eDOUvpIxF5@Z!IiQ7FP z3k~wr($eJEr|Om(^+oo}(r5Opp-geSmLYLi)+uoM5i8sUp+8rH8T$QLtGy!XB-~5{ z)tdlx{vgGRHA^xT_)F+Xw40?yD@Jti5iZYm@>Md;vOe9zbtwV>cgSry}Ugn(9n1WUNp26fJUKni5p&oHQRE>z{N)b)87rW2gI!jg=d%5C` z+p~f@?0?M)GDCiB()}Qp^*9dAj533`_+#{`V)IPzeOzg*&6w1glT)8qZB(H)9s~x9 z-us!oXSLt6fV|>4=Q)T@)$))KQ2!?OytIxzajx?&Cv;yNVlp+o9qnjGVO#*vS5z8^_iwtG{W9Lx2U`M(gj80%RG}I?$ z%mz21YNjX(TUIGd!OV^-=7X^S)&+nRJqtx-rxbST?utJO2Nd*Lf6QHvJcPuzcI5A$ zYKM=L>;C-%!C{C^gg-r(#$UhRm?pwZ7McG`;uc62%KMpKKX`QEP8Eylp(r<_#$pzM zq4ptg^}}OiC@pwfpoT4EYx9vEHqARC6E>eaTGN{Af+~ww7BI91DZXi(#s~hbg7%-C z5zlj*fp}e-Hx{tmN{%NG_KtjyAMLLGZIc1!5Bph-h)#8FhSEzy)R5W2%LR{debP@X z02QkbynA%sCCrW9gHI87DfF5Z2pxO-)i+or>k{`Wler8mFG9KF!yc?TC}v|Yc}I7$ zeIiWPKomosV(_RRu)SWA0KEI{iF5&;eoAmVjuxYLI`VX!BP*EEn1~GQLzE67m$mwg zY>(f+{FoIk8oWGerRf_-eDDp5T3G!HXhA`tThNeLq95?(f#A$k7fBf^E9dY(J zzRTWsgpPiyvI@HD5Tt!w=zZbipg+`kt)lB|L1=uc?%WKYVc|o zj=y;#YXcKW4TD)89NFw`Gl9^g;dYrcO7H}y*w}RHS&%HdiMZCh?J`j_bK!)t?m@Nx zycG8GC^$wuAnfZ>7q-5y-9`KH=RN-@8>6NVQ9+}^=Q=zeRwx9 zaGw<>G$BD)gpO@VZ~{iF+7r{TXLzoT)@_YrohxOtW~BKBbT@rG5@ODurfNuLYWtn$ zln$-(tXRK%$8OLr{rS7Wd02s6{c2N1nQkoXvhRb<@bmggH%(68Ma@mer_u1(qbTg0 zqsR3$n`eh_O)muCRm{XMtC$`=N+nbUE{4@M&-5OdVTbUg?%}s2)M(?mN#)aS-bpT( 
zPZ&LXbdS^&z_dr3T(_cdG+r4OftNuJObXRK3ihr7*&|J?HV>=o;N;uVMXybKAKVM! zK9r*oW~tp@(H`V+?T)m)>C}qw3^_WNB9Brm`$jq#5C06>luguN+u_JyY<7U1>@vm= z@Q#`I%T8VO%^Fa|fPFJp1KpAUG$v%Dy+BMAl%fd$nOX(ef8tFy-PX=r$pgM7+Y1 z@nDdDNr*eXmg`KbTQll7sy%=~)Cf)TI9|$?pH6%i*`{>d}DDS*l*9+*qkAI=!%S_7A7# zv?1+%WG_)$`Ud_Ux4W@|nM<&Xn!}G3m?_WfD7X*W;Vs0*w;#I1TR$DWOV`GJpJ#`^Wv-i^PLCWwaYfRN4yBIndQ{_5jQFZY2>&4ww|_3tGcd48hUBa z`>vgqcG0R$N4CVUN$B{B_)1s-B4gD_Y*>WM$rpWXF*)>@oHXD}-yFP4A^alhFscRa z7@khnVrSjsZZmuu%MjFJ=>8&(yzh8l>K~Gi3J*7G)H$zd6dh zrBH+N;Ub(&?!Qzd3(F5AKfOd!s`Z16C-|Wpe;m>@$yL9T%5F|sVtbDBdOF;n6nfBSg8O<71%-S?~gQh}f8?SZ!gClXkqE24MYAVb&VJ7Y1Cd)?A z8PFB*iuu&_vhmn*$W`olx@K$|;P#Ascpk@dUNi0q-8&n?TMHoS{8ocjaWL6vPW^Vx z^46nOfu4P3;W1#U(dVA$u1;v%TTlG?;PjD^wW`?bUvfA^@q2A$J@`LFBgc1n_hdS@ zuV=pZTPbFSs1c@zI~W1k&pX_axQ>PSWipeEI37EC{uB;IYN z#q|On-mvi@2+`LOV|1NNl{5^ONwO$W&esk3@71J4CTj)(Qk)1#D$$=0FI2g-#JMM! zsG9HjIq_AYt|n;>&lab#s-fYg;||y9_1oWBuv*WgdSrr$Ag7mDiMPD0squ8D{T~#B zB|pFPwahbT;;H`)-0Byf*Z#bR19JMuVf$$?I}>sbZ|Iw6w);?&r#VTQ1GrCBC;R5A z`On`~GU-e2htICok%%R^zgXE_{8hM-*A$kk$NiA|%wkpai!@<|+aEru{G2zAS(8FP zHWJj5V%=;8Rvg~GV$gzb^K56fl9#mdkxfdGg(H+^L#VxhgHLchJVHUUEv%-%2J-&O7aX z1B+A%8(o@-n+RZ3dI=efkA=r6->Om+Xt#DxV`eAUuAXsO1?d{{`*Fd`UmiB5R5$pU z{A?;iNt><3(gReGUqG0UTxvPsHLpR+AIrqgVlX_qLolL*FmyH3s6f-SsAZb-f>bZ&jO?*z4Wqu4 z2_24T(uvykNK9!3p(~V3=IyKWCYkMyw{uc>p-1fi1`|P4!KX58e=wikS^oX8nnnOL z$q!UBds6FrrZ7$h$Mnj&Rzc8kNcod6*$Su}=0-yi!BYZG`Nk&*^COu3@=#wgT((hH3ne>3p-ICurXU-T_ z4=w8Q0q?s1Van?usj5eeUt!rLv6P)SW+0fkCGO0}k1(G05Fu zaBmk)GFIM%vZBt!6xq_Qjsyr&!^KvCWyd!nCv)6-|Wa{c1i-k}`z$fR*=^^afa z&9slBIsXKE1n+MyRCqvl8!esXDp=944H#N_Pzd_IW-aV zX_=woyeL@|MGs2XQoGCaIuV_tySC0qwWss&r`1#SZc&{RJKF)i(NiVo}!M9GEfJ42SR+-CJkKTE;(?_e)K zqnNn1f;b#)f95V=@%jptoD2&)))2DcLyRNy-mm%Hf+aP9j_{)V5!`%>u2=vUgWk~9 zH-T@xb5@pk&tQ^q$uz@7h z+`kmcq-I~>Av)sPOj>FBm9`DXZRw%$HSPmBzSVH62X07n_OuD*yuNZodK=7nQv_QGr*&<3xVU*=KJOr+Q%bq?(pfHR-g@Xa@2qHP zdSCP0387|Z0!agfY-B1qR5K&O7qmoLnfvfbSXIwz)g;x6$ck9lGk^}@szxTXe zDXFJ;utQxw*04}ObV@~uH)MZS8D$2wy+9Vi^plKWGMh{mI-+Z`TB6TCd?()YczSr3 
ze|JNswyzs36%jA9LQ#x`9M~z!ojz=SlGZ`rmnhp3`YlVVBn#jH zY%_r=+H@x{V=yH9t0DMYq8-KswC(Z+506GReQn^C!9O=oEg`#|eCfBX#NK}x;I3#9 z@fl%eKX3WHh}J8E6aw;)H=xUDw9Y)Y!MW#XtC&%8zQ2D`)orE%U$7bi7olfS_ruCW z0ZEn!JPp0jEU*%yY#oY!G8#_bs?>+F1n)Tuu}W&RrP}tCp}<@KHwMYQE)|Ey^ps(G zVDYO=JE0P?bn;=CPF<_zISnbI>clM6z79+K->>VP(}bW`O4;}7>6pg0LlU(u=eNQ zKvm=LN^Qw`0vwB9{$t6SDE-ATpIJMHA__;SHMSV^BuPq?8Y#+~I5?4Wo=@wWfVQF9 zAO=Nd`~tuxc-dBc^MpfQw_{NdqIy9!+B{6QuVv}F!<$Ac2@qj3?V9%r8C*4K!EzOjLgr1wFrc*-0o z2So{9ba*CTt`gKv5$$6s6*RF$oiXNvrW9NX1Ht0q7nj28XZRFyjaYwq?y=f{SW4z^q;RgV)`=4o$L z4cZCATuR|>u-XOoMCS++8*f)X9wsOwB(t4qq$+Fy2{k zVm)vh$@%j!$eCdP9JX^&e>Akd`c%Xgt>kqN*A9x8)m@zwII|_UI_J4_qiWFW7wJ^; z36gkZY=2KP@_-~9e(9=CJOPa6P7>e|4v+d?Oq2CV6CO+7F<|q*`;QJbavYdzy#BzY z8YtqbV3>s2?myANd8Z>o zlu?U{KJfxT*lJMdZBW5lpS9c=dAF!Q?)5uKf>jWShK zi-in(rg2W%rccnfr>2<5d#?%Q->$cNW6*jTaVESxTSX}Ss8L3q(@KX;&2mfSuYg04 zxrgRSs`qSyE~z_B8%5EW2gCOA#Ac9Co12#zFjm03u>M6dj{rNwbL&A z1QYD#`3Bea5ThPB1Mq7_ZZDM}9p+~Rdn-YtB z<{84duFIBt-*#BoHc#9@E9>ZkC(YFia(N(Mqqb3zS)OO$ zO3mKKkt6XH!-<90k+lE+R zHng;`E=-?bmu7g|qN}jWp)KsX&UEX{(_{IdYyg)eTc2x;O z4SgNbQpaP!Gi}{a4J4^gsK_CjY|ihTxFcIkkmu))e%!tX^x3Dy~Pz~jZZio>PHK&8liy z@)Q`v{uwW(F!7K{Zg-VlRY;Akn*%jd^Fx+i=)2BPmOy;8Fli512@^Bd$g?z6a{-hp zAp?k!(}ltn3}`Cap&G>)WaqNep_*kc<=QU8;S6RMYGe~|+p?sjsZVXQq;aIz5YoGC zkQC<=9QeIF+hBc*Z-9Zr!mP=<0&&G5Lx9J-h20&teXOjjtCkNjyUc!N!1!_h6AomW z=fr;Dv6o#MglFrFNo5bknihB2*iEs|L|N1p^jOCe2-ifjj6L;Nyxu1i=4bp|Cupw5 z@IrH@k+r{SoU_fIq~*9+dLO>&6J@PR;6!ZVOW-G6D~Z1wnnFYqasl%l< z8r`A1#QG>P2*Geb6~WHGip%#~p7ZHE(;&z&lBC6xKOZ}26{vV|6gyYe)2KdS0P3nk3LW*Sp#-lyI_sX+H&UXXnL9ptF2=IB z`V<+TW{$OJI@&dXf$Cu&p~a7;Qb((dJu)(o_ef2c)y>_6(2KZ0;s3ifSjiWz&) zrLtE1A_{&S-8%D&0vc41?_+IUW=nG-+jx~vaa=2p)3Fi$9kUn5L#7!hDUXpb%pUD- z*OGY&NXWNJ`&QQJiDpM10*Y#t3^ofJIFrs0)9#n%VO}?VqgHbn1m%pxgo>UdTcO+X zWj<4j@oWaqnR8WeA6)gHNIZ5SMP4_BH5*q)r2;tyklxzW9bp2i&@1KJlezQPiHH=# zoGJ|+|27Ep1@CmK9Bre@DvKCQ>FN}0e(_JeeWjbfZ^pr)gc59|DhCPwn(HtI>Tqep zk*y2G)iBl=B#@hDXby)`gGQ$)@-y~8UFXgZ50$Y`oKk>q2cduFq4}z?4Ic%v?Eedo 
zxi98ii?k(c_^Y=(&U~6gGqszjJt%u__g_;fF=9?T0`*EU!cZfd=CoJgfZi}#w!!xb z2VLja%)v=)?sY^*Q5cfu%R;qe_uhmBoo$TeF4wtV@o8Ngk~1B<2-s5IVWE*O!wWP~ zUwlZAE$Anl;k}I2$n;AiS}k$t9Ee2Xi0m5G9Pz;W()eSFtbW9H(s_UEA^bE!KqZVbYO)kD09nj^#2jzsVsre?2iHULH}ZM<&WIM`}X;U=?%@v zQVyHvE)!zmH9Gn+5GZ@vM5QB@jmND*F2eo|Zk866xkt`BsxsMg32HsTt7v>#0TqYv zRBRH#hv8jv?iN~7mM=Zek97<&SnY&H`{A|hK}eDZ zRmb|Fi`;;Nr%48ODpdTqJ3QUx@Y39BIc9_Y116mUf7t2Su0lV~pcG*d(BlgIYo6rn zCG7`+#Fsf4&hN}5cKD)A2v%l!=;=PJ1TO9n-H~cEN!dvL z73Rr48Ksa5gxWI?$RY#O8jFO#ajG-3{Tw}M_=cExe(pIs%DSC@xP7e&db)b<`TL`0 za<~2AI`P|7csFj8F}=6LJ4n%)yXBd!$MFuZ7rwE zdn=ZiwBe}=5@CmCB|a(x}R8r~S?DtdtBR9*~5XwQ#_0yf;-UN$d5w zNB8xT+HIW+vF<#1z1$d`l3sM7M#_m}n0#yXbvQ}jpG<)tS#7YB{IG`sa89E_mlO9< zWWX=(bE?J%uF(1Nz)@I2_l;4fIGYfMfQ2xuJA0?+Qmgr5Q8X^M(c-fZ=8n&~v(2hr z!rjf=clrGriaTC{$2oEZ)ip?IX5pA83;AvdV+XtxIh5;9O<1H7#&w@xqizR$f}_@% zh>DBt@SiU_OwX0xy+~QE8Ifa>>P|i|Jd$NPv zZ?`H7XfH82jEdwy5@SeoCGK%Fl%i(i{9_`RL?#qRhe;D^S`l;^OD4O!;)?Ht`ACNR zFhZGrjQbqHnykW1wR{&F^kgI7J%xH?1R5Ka*!B+D^Mhi;G95qnSOYZbtKSOt!)qnR z8wwnD2;aKR#5B3|nCRGw{4t^mlAh;V=Nnz`+9-=ob% ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1d732f1e7..ae2fa67f8 100644 +index 1d732f1e7..fc127e1d7 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -26,6 +26,7 @@ type chfn_exec_t; @@ -3519,7 +3519,7 @@ index 1d732f1e7..ae2fa67f8 100644 -allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource }; -dontaudit useradd_t self:capability sys_tty_config; -+allow useradd_t self:capability { dac_read_search chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot }; ++allow useradd_t self:capability { dac_read_search dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot }; + +dontaudit useradd_t self:capability { net_admin sys_tty_config }; +dontaudit useradd_t self:cap_userns { sys_ptrace }; @@ -32017,7 +32017,7 @@ index 6bf0ecc2d..75b2f31f9 100644 +') + 
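Review bot: The new `++allow useradd_t self:capability { dac_read_search dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot };` line re-grants dac_override that the downstream patch had previously stripped from the upstream rule (the ` -allow useradd_t self:capability { dac_override chown ... }` removal and the old `-+allow ... { dac_read_search chown ... }` line above it show the narrowing), and nothing in the hunk records why dac_read_search is no longer enough. dac_override bypasses every DAC permission check for the domain, so the earlier narrowing looks intentional; a one-line comment naming the bug and the denied operation, e.g. `# BZ(1497081): <denied operation> needs dac_override, dac_read_search is not sufficient`, would stop the widening from being silently reverted again. The changelog attributes this to groupadd_t while the rule names useradd_t; if groupadd_t is an alias of useradd_t in this policy that is consistent, but the comment should say so. The same re-grant without a rationale appears in the xdm_t hunk (`@@ -32382,7 +32382,7 @@`, `++allow xdm_t self:capability { ... dac_read_search dac_override fowner ... }`) and the openvpn_t hunk (`@@ -68710,7 +68710,7 @@`, `++allow openvpn_t self:capability { dac_read_search dac_override ipc_lock ... }`).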
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b403774f..fe21bfc46 100644 +index 8b403774f..7eb9dade6 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -32382,7 +32382,7 @@ index 8b403774f..fe21bfc46 100644 -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate }; -+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service net_admin sys_ptrace }; ++allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_read_search dac_override fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service net_admin sys_ptrace }; +allow xdm_t self:capability2 { block_suspend }; +allow xdm_t self:cap_userns { kill }; +dontaudit xdm_t self:capability sys_admin; @@ -37885,7 +37885,7 @@ index 79a45f62e..6ed0c399a 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda2480..7d76c87ce 100644 +index 17eda2480..f049f18e3 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -38294,17 +38294,16 @@ index 17eda2480..7d76c87ce 100644 +optional_policy(` + modutils_domtrans_insmod(init_t) + modutils_list_module_config(init_t) - ') - - optional_policy(` -- auth_rw_login_records(init_t) ++') ++ ++optional_policy(` + postfix_exec(init_t) + postfix_list_spool(init_t) + mta_read_config(init_t) + mta_manage_aliases(init_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + systemd_allow_mount_dir(init_t) +') + 
@@ -38465,13 +38464,14 @@ index 17eda2480..7d76c87ce 100644 +optional_policy(` + lvm_rw_pipes(init_t) + lvm_read_config(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- auth_rw_login_records(init_t) + lldpad_relabel_tmpfs(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` + consolekit_manage_log(init_t) +') + @@ -38491,10 +38491,9 @@ index 17eda2480..7d76c87ce 100644 + # the directory. But we do not want to allow this. + # The master process of dovecot will manage this file. + dovecot_dontaudit_unlink_lib_files(initrc_t) - ') - - optional_policy(` -- nscd_use(init_t) ++') ++ ++optional_policy(` + networkmanager_stream_connect(init_t) + networkmanager_stream_connect(initrc_t) +') @@ -38503,14 +38502,15 @@ index 17eda2480..7d76c87ce 100644 + plymouthd_stream_connect(init_t) + plymouthd_exec_plymouth(init_t) + plymouthd_filetrans_named_content(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- nscd_use(init_t) + ssh_getattr_server_keys(init_t) ') optional_policy(` -@@ -216,7 +641,30 @@ optional_policy(` +@@ -216,7 +641,34 @@ optional_policy(` ') optional_policy(` @@ -38524,6 +38524,10 @@ index 17eda2480..7d76c87ce 100644 +') + +optional_policy(` ++ sysnet_filetrans_cloud_net_conf(init_t) ++') ++ ++optional_policy(` + udev_read_db(init_t) + udev_relabelto_db(init_t) + udev_create_kobject_uevent_socket(init_t) @@ -38542,7 +38546,7 @@ index 17eda2480..7d76c87ce 100644 ') ######################################## -@@ -225,9 +673,9 @@ optional_policy(` +@@ -225,9 +677,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
@@ -38554,7 +38558,7 @@ index 17eda2480..7d76c87ce 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +706,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +710,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -38571,7 +38575,7 @@ index 17eda2480..7d76c87ce 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +731,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +735,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -38614,7 +38618,7 @@ index 17eda2480..7d76c87ce 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +768,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +772,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -38626,7 +38630,7 @@ index 17eda2480..7d76c87ce 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +780,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +784,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -38637,7 +38641,7 @@ index 17eda2480..7d76c87ce 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +791,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +795,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -38647,7 +38651,7 @@ index 17eda2480..7d76c87ce 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +800,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +804,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -38655,7 +38659,7 @@ index 17eda2480..7d76c87ce 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +807,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +811,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -38663,7 +38667,7 @@ index 17eda2480..7d76c87ce 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +815,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +819,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -38681,7 +38685,7 @@ index 17eda2480..7d76c87ce 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +833,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +837,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -38695,7 +38699,7 @@ index 17eda2480..7d76c87ce 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +848,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +852,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -38709,7 +38713,7 @@ index 17eda2480..7d76c87ce 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +861,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +865,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -38720,7 +38724,7 @@ index 17eda2480..7d76c87ce 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +874,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +878,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -38728,7 +38732,7 @@ index 17eda2480..7d76c87ce 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +893,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +897,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -38752,7 +38756,7 @@ index 17eda2480..7d76c87ce 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +926,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +930,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -38760,7 +38764,7 @@ index 17eda2480..7d76c87ce 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +960,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +964,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -38771,7 +38775,7 @@ index 17eda2480..7d76c87ce 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +984,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +988,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -38780,7 +38784,7 @@ index 17eda2480..7d76c87ce 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +999,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +1003,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -38788,7 +38792,7 @@ index 17eda2480..7d76c87ce 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +1020,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +1024,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -38796,7 +38800,7 @@ index 17eda2480..7d76c87ce 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +1030,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +1034,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -38841,7 +38845,7 @@ index 17eda2480..7d76c87ce 100644 ') optional_policy(` -@@ -559,14 +1075,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1079,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -38873,7 +38877,7 @@ index 17eda2480..7d76c87ce 100644 ') ') -@@ -577,6 +1110,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1114,39 @@ ifdef(`distro_suse',` ') ') @@ -38913,7 +38917,7 @@ index 17eda2480..7d76c87ce 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1155,8 @@ optional_policy(` +@@ -589,6 +1159,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -38922,7 +38926,7 @@ index 17eda2480..7d76c87ce 100644 ') optional_policy(` -@@ -610,6 +1178,7 @@ optional_policy(` +@@ -610,6 +1182,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) 
@@ -38930,7 +38934,7 @@ index 17eda2480..7d76c87ce 100644 ') optional_policy(` -@@ -626,6 +1195,17 @@ optional_policy(` +@@ -626,6 +1199,17 @@ optional_policy(` ') optional_policy(` @@ -38948,7 +38952,7 @@ index 17eda2480..7d76c87ce 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1222,13 @@ optional_policy(` +@@ -642,9 +1226,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -38962,7 +38966,7 @@ index 17eda2480..7d76c87ce 100644 ') optional_policy(` -@@ -657,15 +1241,11 @@ optional_policy(` +@@ -657,15 +1245,11 @@ optional_policy(` ') optional_policy(` @@ -38980,7 +38984,7 @@ index 17eda2480..7d76c87ce 100644 ') optional_policy(` -@@ -686,6 +1266,15 @@ optional_policy(` +@@ -686,6 +1270,15 @@ optional_policy(` ') optional_policy(` @@ -38996,7 +39000,7 @@ index 17eda2480..7d76c87ce 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1315,7 @@ optional_policy(` +@@ -726,6 +1319,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -39004,7 +39008,7 @@ index 17eda2480..7d76c87ce 100644 ') optional_policy(` -@@ -743,7 +1333,13 @@ optional_policy(` +@@ -743,7 +1337,13 @@ optional_policy(` ') optional_policy(` @@ -39019,7 +39023,7 @@ index 17eda2480..7d76c87ce 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1362,10 @@ optional_policy(` +@@ -766,6 +1366,10 @@ optional_policy(` ') optional_policy(` @@ -39030,7 +39034,7 @@ index 17eda2480..7d76c87ce 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1375,20 @@ optional_policy(` +@@ -775,10 +1379,20 @@ optional_policy(` ') optional_policy(` @@ -39051,7 +39055,7 @@ index 17eda2480..7d76c87ce 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1397,10 @@ optional_policy(` +@@ -787,6 +1401,10 @@ optional_policy(` ') optional_policy(` 
@@ -39062,7 +39066,7 @@ index 17eda2480..7d76c87ce 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1422,6 @@ optional_policy(` +@@ -808,8 +1426,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -39071,7 +39075,7 @@ index 17eda2480..7d76c87ce 100644 ') optional_policy(` -@@ -818,6 +1430,10 @@ optional_policy(` +@@ -818,6 +1434,10 @@ optional_policy(` ') optional_policy(` @@ -39082,7 +39086,7 @@ index 17eda2480..7d76c87ce 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1443,12 @@ optional_policy(` +@@ -827,10 +1447,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -39095,7 +39099,7 @@ index 17eda2480..7d76c87ce 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1475,62 @@ optional_policy(` +@@ -857,21 +1479,62 @@ optional_policy(` ') optional_policy(` @@ -39159,7 +39163,7 @@ index 17eda2480..7d76c87ce 100644 ') optional_policy(` -@@ -887,6 +1546,10 @@ optional_policy(` +@@ -887,6 +1550,10 @@ optional_policy(` ') optional_policy(` @@ -39170,7 +39174,7 @@ index 17eda2480..7d76c87ce 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1560,218 @@ optional_policy(` +@@ -897,3 +1564,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -47059,10 +47063,10 @@ index 1447687d5..0b1da4d3e 100644 seutil_read_config(setrans_t) diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc -index 40edc18ab..95f4458d2 100644 +index 40edc18ab..be7317733 100644 --- a/policy/modules/system/sysnetwork.fc 
+++ b/policy/modules/system/sysnetwork.fc -@@ -17,23 +17,29 @@ ifdef(`distro_debian',` +@@ -17,23 +17,31 @@ ifdef(`distro_debian',` /etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) @@ -47094,10 +47098,12 @@ index 40edc18ab..95f4458d2 100644 +/var/run/systemd/resolve/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) ') +/var/run/NetworkManager/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) ++ ++/var/run/cloud-init(/.*)? gen_context(system_u:object_r:net_conf_t,s0) # # /sbin -@@ -44,6 +50,7 @@ ifdef(`distro_redhat',` +@@ -44,6 +52,7 @@ ifdef(`distro_redhat',` /sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) @@ -47105,7 +47111,7 @@ index 40edc18ab..95f4458d2 100644 /sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -@@ -55,6 +62,21 @@ ifdef(`distro_redhat',` +@@ -55,6 +64,21 @@ ifdef(`distro_redhat',` # # /usr # @@ -47127,7 +47133,7 @@ index 40edc18ab..95f4458d2 100644 /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) # -@@ -77,3 +99,6 @@ ifdef(`distro_debian',` +@@ -77,3 +101,6 @@ ifdef(`distro_debian',` /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) ') @@ -47135,7 +47141,7 @@ index 40edc18ab..95f4458d2 100644 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) + diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 2cea692c0..e3cb4f2ef 100644 +index 2cea692c0..853ddefe4 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if 
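Review bot: `++/var/run/cloud-init(/.*)? gen_context(system_u:object_r:net_conf_t,s0)` labels the whole cloud-init runtime tree with net_conf_t, the type the surrounding lines use for resolver files (`/var/run/systemd/resolve/resolv\.conf`, `/var/run/NetworkManager/resolv\.conf.*`), so every domain that may read or manage network configuration reaches everything cloud-init places under that directory, not only its resolver data. If only one or two files there are network configuration, a narrower pattern for those files would be the smaller grant; presumably the directory itself must carry the label because it is created before its content, which is what the `sysnet_filetrans_cloud_net_conf(init_t)` call in the init.te hunk (`@@ -38524,6 +38524,10 @@`) provides, but what cloud-init actually writes there should be confirmed before settling on the whole-tree pattern. Either way a one-line fc comment stating why net_conf_t is the right type, e.g. `# BZ(1489166): <what cloud-init keeps here and why it is network config>`, would help the next reader.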
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -47562,7 +47568,7 @@ index 2cea692c0..e3cb4f2ef 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -796,3 +1057,144 @@ interface(`sysnet_use_portmap',` +@@ -796,3 +1057,162 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') @@ -47707,6 +47713,24 @@ index 2cea692c0..e3cb4f2ef 100644 + + files_etc_filetrans($1, net_conf_t, file) +') ++ ++######################################## ++## ++## Transition to cloud-init named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sysnet_filetrans_cloud_net_conf',` ++ gen_require(` ++ type net_conf_t; ++ ') ++ ++ files_pid_filetrans($1, net_conf_t, dir, "cloud-init") ++') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index a392fc4bc..d29b7f6fb 100644 --- a/policy/modules/system/sysnetwork.te diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 55371764..fec6564c 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -68669,7 +68669,7 @@ index 6837e9a2b..8d6e33b00 100644 domain_system_change_exemption($1) role_transition $2 openvpn_initrc_exec_t system_r; diff --git a/openvpn.te b/openvpn.te -index 63957a362..1a037b974 100644 +index 63957a362..91dead6e7 100644 --- a/openvpn.te +++ b/openvpn.te @@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2) 
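Review bot: The summary of the new `sysnet_filetrans_cloud_net_conf` interface, `## Transition to cloud-init named content`, does not say what the interface actually does, which is only the one `files_pid_filetrans($1, net_conf_t, dir, "cloud-init")` rule: a directory named cloud-init created under the pid directory by the caller gets net_conf_t. A summary such as `## Create the cloud-init runtime directory under /var/run with the net_conf_t label` plus the usual `## Domain allowed access.` parameter text would let a caller see the resulting path and type without reading the body. The interface name says "net_conf" but nothing about the pid directory; if other callers than init_t are expected, note in the summary that the label must match the `/var/run/cloud-init(/.*)?` entry in sysnetwork.fc.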
@@ -68710,7 +68710,7 @@ index 63957a362..1a037b974 100644 # -allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_admin setgid setuid sys_chroot sys_tty_config sys_nice }; -+allow openvpn_t self:capability { dac_read_search ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config sys_nice }; ++allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config sys_nice }; allow openvpn_t self:process { signal getsched setsched }; allow openvpn_t self:fifo_file rw_fifo_file_perms; allow openvpn_t self:unix_dgram_socket sendto; @@ -97220,7 +97220,7 @@ index 50d07fb2e..a34db489c 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441e7..8f17d3b19 100644 +index 2b7c441e7..6d5786b06 100644 --- a/samba.te +++ b/samba.te @@ -6,99 +6,86 @@ policy_module(samba, 1.16.3) @@ -97590,10 +97590,12 @@ index 2b7c441e7..8f17d3b19 100644 manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) allow smbd_t samba_share_t:filesystem { getattr quotaget }; -@@ -298,65 +322,72 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) +@@ -297,66 +321,74 @@ manage_files_pattern(smbd_t, samba_var_t, samba_var_t) + manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t) files_var_filetrans(smbd_t, samba_var_t, dir, "samba") - ++allow smbd_t samba_var_t:file { map } ; ++ +manage_dirs_pattern(smbd_t, samba_spool_t, samba_spool_t) +manage_files_pattern(smbd_t, samba_spool_t, samba_spool_t) +manage_lnk_files_pattern(smbd_t, samba_spool_t, samba_spool_t) 
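Review bot: `++allow smbd_t samba_var_t:file { map } ;` in the samba.te hunk (`@@ -97590,10 +97590,12 @@`) is not mentioned in the changelog, and the rule is written in a style the file does not use elsewhere: a single permission in braces and a space before the terminator, where neighbouring rules read `allow smbd_t samba_share_t:filesystem { getattr quotaget };`. Writing it as `allow smbd_t samba_var_t:file map;` and adding a short comment on the denial it resolves (smbd_t already has `manage_files_pattern(smbd_t, samba_var_t, samba_var_t)`, so the new bit is only mmap access) would keep it consistent and traceable.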
@@ -97602,7 +97604,7 @@ index 2b7c441e7..8f17d3b19 100644 + +allow smbd_t smbcontrol_t:process { signal signull }; +allow smbd_t smbcontrol_t:unix_dgram_socket sendto; -+ + manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t) manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t) files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) @@ -97687,7 +97689,7 @@ index 2b7c441e7..8f17d3b19 100644 fs_getattr_all_fs(smbd_t) fs_getattr_all_dirs(smbd_t) -@@ -366,44 +397,53 @@ fs_getattr_rpc_dirs(smbd_t) +@@ -366,44 +398,53 @@ fs_getattr_rpc_dirs(smbd_t) fs_list_inotifyfs(smbd_t) fs_get_all_fs_quotas(smbd_t) @@ -97753,7 +97755,7 @@ index 2b7c441e7..8f17d3b19 100644 ') tunable_policy(`samba_domain_controller',` -@@ -419,20 +459,16 @@ tunable_policy(`samba_domain_controller',` +@@ -419,20 +460,16 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` @@ -97780,7 +97782,7 @@ index 2b7c441e7..8f17d3b19 100644 tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) -@@ -441,6 +477,7 @@ tunable_policy(`samba_share_nfs',` +@@ -441,6 +478,7 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_named_sockets(smbd_t) ') @@ -97788,7 +97790,7 @@ index 2b7c441e7..8f17d3b19 100644 tunable_policy(`samba_share_fusefs',` fs_manage_fusefs_dirs(smbd_t) fs_manage_fusefs_files(smbd_t) -@@ -448,15 +485,10 @@ tunable_policy(`samba_share_fusefs',` +@@ -448,15 +486,10 @@ tunable_policy(`samba_share_fusefs',` fs_search_fusefs(smbd_t) ') @@ -97808,7 +97810,7 @@ index 2b7c441e7..8f17d3b19 100644 ') optional_policy(` -@@ -466,6 +498,7 @@ optional_policy(` +@@ -466,6 +499,7 @@ optional_policy(` optional_policy(` ctdbd_stream_connect(smbd_t) ctdbd_manage_lib_files(smbd_t) @@ -97816,7 +97818,7 @@ index 2b7c441e7..8f17d3b19 100644 ') optional_policy(` -@@ -474,11 +507,31 @@ optional_policy(` +@@ -474,11 +508,31 @@ optional_policy(` ') optional_policy(` 
@@ -97848,7 +97850,7 @@ index 2b7c441e7..8f17d3b19 100644 lpd_exec_lpr(smbd_t) ') -@@ -488,6 +541,10 @@ optional_policy(` +@@ -488,6 +542,10 @@ optional_policy(` ') optional_policy(` @@ -97859,7 +97861,7 @@ index 2b7c441e7..8f17d3b19 100644 rpc_search_nfs_state_data(smbd_t) ') -@@ -499,12 +556,53 @@ optional_policy(` +@@ -499,12 +557,53 @@ optional_policy(` udev_read_db(smbd_t) ') @@ -97914,7 +97916,7 @@ index 2b7c441e7..8f17d3b19 100644 allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow nmbd_t self:fd use; allow nmbd_t self:fifo_file rw_fifo_file_perms; -@@ -512,9 +610,11 @@ allow nmbd_t self:msg { send receive }; +@@ -512,9 +611,11 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -97929,7 +97931,7 @@ index 2b7c441e7..8f17d3b19 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -526,20 +626,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -526,20 +627,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) @@ -97954,7 +97956,7 @@ index 2b7c441e7..8f17d3b19 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -547,53 +643,44 @@ kernel_read_kernel_sysctls(nmbd_t) +@@ -547,53 +644,44 @@ kernel_read_kernel_sysctls(nmbd_t) kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -98023,7 +98025,7 @@ index 2b7c441e7..8f17d3b19 100644 ') optional_policy(` -@@ -606,18 +693,29 @@ optional_policy(` +@@ -606,18 +694,29 @@ optional_policy(` ######################################## # 
@@ -98059,7 +98061,7 @@ index 2b7c441e7..8f17d3b19 100644 samba_read_config(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -627,39 +725,38 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -627,39 +726,38 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -98111,7 +98113,7 @@ index 2b7c441e7..8f17d3b19 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -668,26 +765,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -668,26 +766,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -98147,7 +98149,7 @@ index 2b7c441e7..8f17d3b19 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -699,58 +792,77 @@ fs_read_cifs_files(smbmount_t) +@@ -699,58 +793,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -98240,7 +98242,7 @@ index 2b7c441e7..8f17d3b19 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -759,17 +871,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -759,17 +872,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -98264,7 +98266,7 @@ index 2b7c441e7..8f17d3b19 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -777,36 +885,25 @@ kernel_read_network_state(swat_t) +@@ -777,36 +886,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -98307,7 +98309,7 @@ index 2b7c441e7..8f17d3b19 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -818,10 +915,11 @@ logging_send_syslog_msg(swat_t) +@@ -818,10 +916,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) 
@@ -98321,7 +98323,7 @@ index 2b7c441e7..8f17d3b19 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -840,17 +938,20 @@ optional_policy(` +@@ -840,17 +939,20 @@ optional_policy(` # Winbind local policy # @@ -98348,7 +98350,7 @@ index 2b7c441e7..8f17d3b19 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -860,9 +961,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -860,9 +962,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -98359,7 +98361,7 @@ index 2b7c441e7..8f17d3b19 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -871,40 +970,44 @@ manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t) +@@ -871,40 +971,44 @@ manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t) manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t) files_var_filetrans(winbind_t, samba_var_t, dir, "samba") @@ -98416,7 +98418,7 @@ index 2b7c441e7..8f17d3b19 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -912,38 +1015,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -912,38 +1016,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -98475,7 +98477,7 @@ index 2b7c441e7..8f17d3b19 100644 ') optional_policy(` -@@ -959,31 +1076,36 @@ optional_policy(` +@@ -959,31 +1077,36 @@ optional_policy(` # Winbind helper local policy # @@ -98519,7 +98521,7 @@ index 2b7c441e7..8f17d3b19 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -997,25 +1119,38 @@ optional_policy(` +@@ -997,25 +1120,38 @@ optional_policy(` ######################################## # 
@@ -117240,7 +117242,7 @@ index facdee8b3..2a619ba9e 100644 + dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) ') diff --git a/virt.te b/virt.te -index f03dcf567..6b27ef4c9 100644 +index f03dcf567..a287ebdf0 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,424 @@ @@ -117478,11 +117480,11 @@ index f03dcf567..6b27ef4c9 100644 -virt_domain_template(svirt_prot_exec) +role system_r types svirt_t; +typealias svirt_t alias qemu_t; - --type virt_cache_t alias svirt_cache_t; ++ +virt_domain_template(svirt_tcg) +role system_r types svirt_tcg_t; -+ + +-type virt_cache_t alias svirt_cache_t; +type qemu_exec_t, virt_file_type; + +type virt_cache_t alias svirt_cache_t, virt_file_type; 
@@ -117845,37 +117847,37 @@ index f03dcf567..6b27ef4c9 100644 -list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) -read_files_pattern(svirt_t, virt_content_t, virt_content_t) -+allow svirt_t self:process ptrace; - +- -dontaudit svirt_t virt_content_t:file write_file_perms; -dontaudit svirt_t virt_content_t:dir rw_dir_perms; -+# it was a part of auth_use_nsswitch -+allow svirt_t self:netlink_route_socket r_netlink_socket_perms; - +- -append_files_pattern(svirt_t, virt_home_t, virt_home_t) -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -- ++allow svirt_t self:process ptrace; + -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") - -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) -- --corenet_udp_sendrecv_generic_if(svirt_t) --corenet_udp_sendrecv_generic_node(svirt_t) --corenet_udp_sendrecv_all_ports(svirt_t) --corenet_udp_bind_generic_node(svirt_t) ++# it was a part of auth_use_nsswitch ++allow svirt_t self:netlink_route_socket r_netlink_socket_perms; + + corenet_udp_sendrecv_generic_if(svirt_t) + corenet_udp_sendrecv_generic_node(svirt_t) + corenet_udp_sendrecv_all_ports(svirt_t) + corenet_udp_bind_generic_node(svirt_t) - -corenet_all_recvfrom_unlabeled(svirt_t) -corenet_all_recvfrom_netlabel(svirt_t) -corenet_tcp_sendrecv_generic_if(svirt_t) - corenet_udp_sendrecv_generic_if(svirt_t) +-corenet_udp_sendrecv_generic_if(svirt_t) -corenet_tcp_sendrecv_generic_node(svirt_t) - corenet_udp_sendrecv_generic_node(svirt_t) +-corenet_udp_sendrecv_generic_node(svirt_t) -corenet_tcp_sendrecv_all_ports(svirt_t) - corenet_udp_sendrecv_all_ports(svirt_t) +-corenet_udp_sendrecv_all_ports(svirt_t) -corenet_tcp_bind_generic_node(svirt_t) - corenet_udp_bind_generic_node(svirt_t) +-corenet_udp_bind_generic_node(svirt_t) - -corenet_sendrecv_all_server_packets(svirt_t) corenet_udp_bind_all_ports(svirt_t) 
@@ -118040,12 +118042,12 @@ index f03dcf567..6b27ef4c9 100644 -stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) -- --can_exec(virtd_t, virt_tmp_t) +# libvirtd is permitted to talk to virtlogd +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t) +allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; +-can_exec(virtd_t, virt_tmp_t) +- -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) @@ -118145,13 +118147,13 @@ index f03dcf567..6b27ef4c9 100644 +sysnet_read_config(virtd_t) -userdom_read_all_users_state(virtd_t) -+systemd_dbus_chat_logind(virtd_t) -+systemd_write_inhibit_pipes(virtd_t) - +- -ifdef(`hide_broken_symptoms',` - dontaudit virtd_t self:capability { sys_module sys_ptrace }; -') -- ++systemd_dbus_chat_logind(virtd_t) ++systemd_write_inhibit_pipes(virtd_t) + -tunable_policy(`virt_use_fusefs',` - fs_manage_fusefs_dirs(virtd_t) - fs_manage_fusefs_files(virtd_t) @@ -118205,7 +118207,7 @@ index f03dcf567..6b27ef4c9 100644 ') optional_policy(` -@@ -691,99 +653,433 @@ optional_policy(` +@@ -691,99 +653,437 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -118349,6 +118351,10 @@ index f03dcf567..6b27ef4c9 100644 + fs_append_nfs_files(virtlogd_t) +') + ++optional_policy(` ++ systemd_write_inhibit_pipes(virtlogd_t) ++') ++ +######################################## +# +# virtual domains common policy 
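Review bot: `systemd_write_inhibit_pipes(virtlogd_t)` is wrapped in `optional_policy()` here, while the same interface is called for virtd_t in an earlier hunk on this page (`+systemd_write_inhibit_pipes(virtd_t)`) without the wrapper; the two calls should use the same form, and if systemd is not optional in this policy build the plain `systemd_write_inhibit_pipes(virtlogd_t)` is the consistent one. A one-line comment above the call, e.g. `# virtlogd writes to logind inhibitor pipes it inherits from libvirtd — confirm`, would record why a log daemon needs this at all, which neither the changelog entry nor the hunk explains. The virtlogd_t section continues beyond the hunk.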
@@ -118536,18 +118542,16 @@ index f03dcf567..6b27ef4c9 100644 + fs_manage_fusefs_files(virt_domain) + fs_read_fusefs_symlinks(virt_domain) + fs_getattr_fusefs(virt_domain) - ') - - optional_policy(` -- lvm_domtrans(virtd_t) ++') ++ ++optional_policy(` + tunable_policy(`virt_use_glusterd',` + glusterd_manage_pid(virt_domain) + ') ') -optional_policy(` -- mount_domtrans(virtd_t) -- mount_signal(virtd_t) +- lvm_domtrans(virtd_t) +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virt_domain) + fs_manage_nfs_files(virt_domain) @@ -118557,9 +118561,8 @@ index f03dcf567..6b27ef4c9 100644 ') -optional_policy(` -- policykit_domtrans_auth(virtd_t) -- policykit_domtrans_resolve(virtd_t) -- policykit_read_lib(virtd_t) +- mount_domtrans(virtd_t) +- mount_signal(virtd_t) +tunable_policy(`virt_use_samba',` + fs_manage_cifs_dirs(virt_domain) + fs_manage_cifs_files(virt_domain) @@ -118569,7 +118572,9 @@ index f03dcf567..6b27ef4c9 100644 ') -optional_policy(` -- qemu_exec(virtd_t) +- policykit_domtrans_auth(virtd_t) +- policykit_domtrans_resolve(virtd_t) +- policykit_read_lib(virtd_t) +tunable_policy(`virt_use_usb',` + dev_rw_usbfs(virt_domain) + dev_read_sysfs(virt_domain) @@ -118580,20 +118585,23 @@ index f03dcf567..6b27ef4c9 100644 ') optional_policy(` -- sasl_connect(virtd_t) +- qemu_exec(virtd_t) + tunable_policy(`virt_use_pcscd',` + pcscd_stream_connect(virt_domain) + ') ') optional_policy(` -- kernel_read_xen_state(virtd_t) -- kernel_write_xen_state(virtd_t) +- sasl_connect(virtd_t) + tunable_policy(`virt_use_sanlock',` + sanlock_stream_connect(virt_domain) + ') -+') + ') +-optional_policy(` +- kernel_read_xen_state(virtd_t) +- kernel_write_xen_state(virtd_t) +- - xen_exec(virtd_t) - xen_stream_connect(virtd_t) - xen_stream_connect_xenstore(virtd_t) 
@@ -118688,7 +118696,7 @@ index f03dcf567..6b27ef4c9 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1090,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1094,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -118715,7 +118723,7 @@ index f03dcf567..6b27ef4c9 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1110,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1114,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -118749,7 +118757,7 @@ index f03dcf567..6b27ef4c9 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1147,20 @@ optional_policy(` +@@ -856,14 +1151,20 @@ optional_policy(` ') optional_policy(` @@ -118771,7 +118779,7 @@ index f03dcf567..6b27ef4c9 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1185,66 @@ optional_policy(` +@@ -888,49 +1189,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -118856,7 +118864,7 @@ index f03dcf567..6b27ef4c9 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1256,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1260,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -118876,7 +118884,7 @@ index f03dcf567..6b27ef4c9 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1277,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,15 +1281,11 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) 
@@ -118884,72 +118892,125 @@ index f03dcf567..6b27ef4c9 100644 + selinux_mount_fs(virtd_lxc_t) selinux_unmount_fs(virtd_lxc_t) +-selinux_get_enforce_mode(virtd_lxc_t) +-selinux_get_fs_mount(virtd_lxc_t) +-selinux_validate_context(virtd_lxc_t) +-selinux_compute_access_vector(virtd_lxc_t) +-selinux_compute_create_context(virtd_lxc_t) +-selinux_compute_relabel_context(virtd_lxc_t) +-selinux_compute_user_contexts(virtd_lxc_t) +seutil_read_config(virtd_lxc_t) -+ -+term_use_generic_ptys(virtd_lxc_t) -+term_use_ptmx(virtd_lxc_t) -+term_relabel_pty_fs(virtd_lxc_t) -+ -+auth_use_nsswitch(virtd_lxc_t) -+ -+logging_send_syslog_msg(virtd_lxc_t) -+ -+seutil_domtrans_setfiles(virtd_lxc_t) -+seutil_read_default_contexts(virtd_lxc_t) -+ - selinux_get_enforce_mode(virtd_lxc_t) - selinux_get_fs_mount(virtd_lxc_t) - selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1302,296 @@ selinux_compute_create_context(virtd_lxc_t) - selinux_compute_relabel_context(virtd_lxc_t) - selinux_compute_user_contexts(virtd_lxc_t) --term_use_generic_ptys(virtd_lxc_t) --term_use_ptmx(virtd_lxc_t) --term_relabel_pty_fs(virtd_lxc_t) -+sysnet_exec_ifconfig(virtd_lxc_t) + term_use_generic_ptys(virtd_lxc_t) + term_use_ptmx(virtd_lxc_t) +@@ -982,186 +1295,307 @@ auth_use_nsswitch(virtd_lxc_t) --auth_use_nsswitch(virtd_lxc_t) -+systemd_dbus_chat_machined(virtd_lxc_t) - --logging_send_syslog_msg(virtd_lxc_t) -+userdom_read_admin_home_files(virtd_lxc_t) + logging_send_syslog_msg(virtd_lxc_t) -miscfiles_read_localization(virtd_lxc_t) +- + seutil_domtrans_setfiles(virtd_lxc_t) +-seutil_read_config(virtd_lxc_t) + seutil_read_default_contexts(virtd_lxc_t) + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +- +-######################################## +-# +-# Common virt lxc domain local policy +-# +- +-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; +-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; +-allow svirt_lxc_domain 
self:fifo_file manage_file_perms; +-allow svirt_lxc_domain self:sem create_sem_perms; +-allow svirt_lxc_domain self:shm create_shm_perms; +-allow svirt_lxc_domain self:msgq create_msgq_perms; +-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; +-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; ++selinux_get_enforce_mode(virtd_lxc_t) ++selinux_get_fs_mount(virtd_lxc_t) ++selinux_validate_context(virtd_lxc_t) ++selinux_compute_access_vector(virtd_lxc_t) ++selinux_compute_create_context(virtd_lxc_t) ++selinux_compute_relabel_context(virtd_lxc_t) ++selinux_compute_user_contexts(virtd_lxc_t) + +-allow svirt_lxc_domain virtd_lxc_t:fd use; +-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms; +-allow svirt_lxc_domain virtd_lxc_t:process sigchld; ++sysnet_exec_ifconfig(virtd_lxc_t) + +-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; ++systemd_dbus_chat_machined(virtd_lxc_t) + +-allow svirt_lxc_domain virsh_t:fd use; +-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms; +-allow svirt_lxc_domain virsh_t:process sigchld; ++userdom_read_admin_home_files(virtd_lxc_t) + +-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms; +-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms; +optional_policy(` + dbus_system_bus_client(virtd_lxc_t) + init_dbus_chat(virtd_lxc_t) --seutil_domtrans_setfiles(virtd_lxc_t) --seutil_read_config(virtd_lxc_t) --seutil_read_default_contexts(virtd_lxc_t) +-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, 
svirt_lxc_file_t) +-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) + optional_policy(` + hal_dbus_chat(virtd_lxc_t) + ') +') --sysnet_domtrans_ifconfig(virtd_lxc_t) +-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton; +-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; +optional_policy(` + container_exec_lib(virtd_lxc_t) +') -+ + +-can_exec(svirt_lxc_domain, svirt_lxc_file_t) +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') -+ + +-kernel_getattr_proc(svirt_lxc_domain) +-kernel_list_all_proc(svirt_lxc_domain) +-kernel_read_kernel_sysctls(svirt_lxc_domain) +-kernel_rw_net_sysctls(svirt_lxc_domain) +-kernel_read_system_state(svirt_lxc_domain) +-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') -+ + +-corecmd_exec_all_executables(svirt_lxc_domain) +optional_policy(` + unconfined_domain(virtd_lxc_t) +') - ######################################## - # --# Common virt lxc domain local policy +-files_dontaudit_getattr_all_dirs(svirt_lxc_domain) +-files_dontaudit_getattr_all_files(svirt_lxc_domain) +-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) +-files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +-files_dontaudit_getattr_all_sockets(svirt_lxc_domain) +-files_dontaudit_list_all_mountpoints(svirt_lxc_domain) +-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) +-# files_entrypoint_all_files(svirt_lxc_domain) +-files_list_var(svirt_lxc_domain) +-files_list_var_lib(svirt_lxc_domain) +-files_search_all(svirt_lxc_domain) +-files_read_config_files(svirt_lxc_domain) +-files_read_usr_files(svirt_lxc_domain) +-files_read_usr_symlinks(svirt_lxc_domain) ++######################################## ++# +# svirt_sandbox_domain local policy - # ++# +allow svirt_sandbox_domain self:key manage_key_perms; +dontaudit svirt_sandbox_domain svirt_sandbox_domain:key search; + 
@@ -118973,7 +119034,9 @@ index f03dcf567..6b27ef4c9 100644 +tunable_policy(`deny_ptrace',`',` + allow svirt_sandbox_domain self:process ptrace; +') -+ + +-fs_getattr_all_fs(svirt_lxc_domain) +-fs_list_inotifyfs(svirt_lxc_domain) +allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto }; +allow virtd_t svirt_sandbox_domain:process { signal_perms getattr }; +allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms }; 
@@ -119063,113 +119126,43 @@ index f03dcf567..6b27ef4c9 100644 +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) -+ + +-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain) +-# fs_rw_inherited_cifs_files(svirt_lxc_domain) +-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain) +optional_policy(` +tunable_policy(`virt_sandbox_share_apache_content',` + apache_exec_modules(svirt_sandbox_domain) + apache_read_sys_content(svirt_sandbox_domain) + ') +') -+ + +-auth_dontaudit_read_login_records(svirt_lxc_domain) +-auth_dontaudit_write_login_records(svirt_lxc_domain) +-auth_search_pam_console_data(svirt_lxc_domain) +optional_policy(` + mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) +') --allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; --allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; --allow svirt_lxc_domain self:fifo_file manage_file_perms; --allow svirt_lxc_domain self:sem create_sem_perms; --allow svirt_lxc_domain self:shm create_shm_perms; --allow svirt_lxc_domain self:msgq create_msgq_perms; --allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; --allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; -- --allow svirt_lxc_domain virtd_lxc_t:fd use; --allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms; --allow svirt_lxc_domain virtd_lxc_t:process sigchld; -- --allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; -- --allow svirt_lxc_domain virsh_t:fd use; --allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms; --allow svirt_lxc_domain virsh_t:process sigchld; -- --allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms; --allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms; -- 
--manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -- --allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton; --allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; -- --can_exec(svirt_lxc_domain, svirt_lxc_file_t) -- --kernel_getattr_proc(svirt_lxc_domain) --kernel_list_all_proc(svirt_lxc_domain) --kernel_read_kernel_sysctls(svirt_lxc_domain) --kernel_rw_net_sysctls(svirt_lxc_domain) --kernel_read_system_state(svirt_lxc_domain) --kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) -- --corecmd_exec_all_executables(svirt_lxc_domain) -- --files_dontaudit_getattr_all_dirs(svirt_lxc_domain) --files_dontaudit_getattr_all_files(svirt_lxc_domain) --files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) --files_dontaudit_getattr_all_pipes(svirt_lxc_domain) --files_dontaudit_getattr_all_sockets(svirt_lxc_domain) --files_dontaudit_list_all_mountpoints(svirt_lxc_domain) --files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) --# files_entrypoint_all_files(svirt_lxc_domain) --files_list_var(svirt_lxc_domain) --files_list_var_lib(svirt_lxc_domain) --files_search_all(svirt_lxc_domain) --files_read_config_files(svirt_lxc_domain) --files_read_usr_files(svirt_lxc_domain) --files_read_usr_symlinks(svirt_lxc_domain) -- --fs_getattr_all_fs(svirt_lxc_domain) --fs_list_inotifyfs(svirt_lxc_domain) -- --# fs_rw_inherited_tmpfs_files(svirt_lxc_domain) --# fs_rw_inherited_cifs_files(svirt_lxc_domain) --# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain) -- 
--auth_dontaudit_read_login_records(svirt_lxc_domain) --auth_dontaudit_write_login_records(svirt_lxc_domain) --auth_search_pam_console_data(svirt_lxc_domain) -- -clock_read_adjtime(svirt_lxc_domain) -- --init_read_utmp(svirt_lxc_domain) --init_dontaudit_write_utmp(svirt_lxc_domain) -- --libs_dontaudit_setattr_lib_files(svirt_lxc_domain) -- --miscfiles_read_localization(svirt_lxc_domain) --miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) --miscfiles_read_fonts(svirt_lxc_domain) -- --mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +optional_policy(` + ssh_use_ptys(svirt_sandbox_domain) +') -+ + +-init_read_utmp(svirt_lxc_domain) +-init_dontaudit_write_utmp(svirt_lxc_domain) +optional_policy(` + udev_read_pid_files(svirt_sandbox_domain) +') - optional_policy(` -- udev_read_pid_files(svirt_lxc_domain) +-libs_dontaudit_setattr_lib_files(svirt_lxc_domain) ++optional_policy(` + userhelper_dontaudit_write_config(svirt_sandbox_domain) +') -+ + +-miscfiles_read_localization(svirt_lxc_domain) +-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) +-miscfiles_read_fonts(svirt_lxc_domain) +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(svirt_sandbox_domain) + fs_manage_nfs_files(svirt_sandbox_domain) @@ -119180,7 +119173,8 @@ index f03dcf567..6b27ef4c9 100644 + fs_exec_nfs_files(svirt_sandbox_domain) + kernel_rw_fs_sysctls(svirt_sandbox_domain) +') -+ + +-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +tunable_policy(`virt_use_samba',` + fs_manage_cifs_files(svirt_sandbox_domain) + fs_manage_cifs_dirs(svirt_sandbox_domain) @@ -119188,7 +119182,9 @@ index f03dcf567..6b27ef4c9 100644 + fs_manage_cifs_symlinks(svirt_sandbox_domain) + fs_exec_cifs_files(svirt_sandbox_domain) +') -+ + +-optional_policy(` +- udev_read_pid_files(svirt_lxc_domain) +tunable_policy(`virt_sandbox_use_fusefs',` + fs_manage_fusefs_dirs(svirt_sandbox_domain) + fs_manage_fusefs_files(svirt_sandbox_domain) 
@@ -119344,7 +119340,7 @@ index f03dcf567..6b27ef4c9 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1604,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1608,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -119359,7 +119355,7 @@ index f03dcf567..6b27ef4c9 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1622,7 @@ optional_policy(` +@@ -1192,7 +1626,7 @@ optional_policy(` ######################################## # @@ -119368,7 +119364,7 @@ index f03dcf567..6b27ef4c9 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1631,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1635,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index bbbab847..8490093f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 289%{?dist} +Release: 290%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -682,6 +682,13 @@ exit 0 %endif %changelog +* Fri Sep 29 2017 Lukas Vrabec - 3.13.1-290 +- Allow virtlogd_t domain to write inhibit systemd pipes. +- Add dac_override capability to openvpn_t domain +- Add dac_override capability to xdm_t domain +- Allow dac_override to groupadd_t domain BZ(1497081) +- Allow cloud-init to create /var/run/cloud-init dir with net_conf_t SELinux label.BZ(1489166) + * Wed Sep 27 2017 Lukas Vrabec - 3.13.1-289 - Allow tlp_t domain stream connect to sssd_t domain - Add missing dac_override capability